Old 06-17-2008, 08:26 PM   #6 (permalink)
Webdrifter
Registered User
 
Join Date: Jun 2008
Posts: 9
OS: xp


Re: Everything gone crazy ( Trojan.win32.mondera.gen )

As for your question regarding crack/torrent programs, I purchased ZoneAlarm and Spyware Doctor from their web sites, and they are both legal. I just purchased Spyware Doctor about a week ago, right after this problem started. I know you said to delete one of my antivirus programs, but could I just disable Spyware Doctor and run scans manually from time to time, without it conflicting with ZoneAlarm?

Here are the 3 files that you requested. Once again, thanks.


SDFix: Version 1.194
Run by Administrator on Tue 06/17/2008 at 06:02 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\Fonts\'\*.zip - 26495 File(s) 6,809,215 bytes - Deleted



Folder C:\Temp\tmpvc14 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:32:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ErrorControl"=dword:00000001
"Group"="SCSI miniport"
"Start"=dword:00000000
"Tag"=dword:00000019
"Type"=dword:00000001
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ImagePath"=str(2):"System32\DRIVERS\atapi.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atinx2k]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"=str(2):"system32\drivers\atinx2k.sys"
"Data"=hex:c2,7f,e7,d8,97,e5,29,68,7d,9c,c8,ac,f9,fe,5d,81,83,9f,34,4b,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\watvex]
"Type"=dword:00000002
"ErrorControl"=dword:00000001
"Start"=dword:00000000
"Group"="filter"
"ImagePath"=str(2):"system32\drivers\watvex.sys"
"Tag"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atapi]
"ErrorControl"=dword:00000001
"Group"="SCSI miniport"
"Start"=dword:00000000
"Tag"=dword:00000019
"Type"=dword:00000001
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ImagePath"=str(2):"System32\DRIVERS\atapi.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atinx2k]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"ImagePath"=str(2):"system32\drivers\atinx2k.sys"
"Data"=hex:c2,7f,e7,d8,97,e5,29,68,7d,9c,c8,ac,f9,fe,5d,81,83,9f,34,4b,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\watvex]
"Type"=dword:00000002
"ErrorControl"=dword:00000001
"Start"=dword:00000000
"Group"="filter"
"ImagePath"=str(2):"system32\drivers\watvex.sys"
"Tag"=dword:00000007

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\atinx2k.sys 462080 bytes executable
C:\WINDOWS\system32\drivers\watvex.sys 20480 bytes executable
C:\WINDOWS\system32\dsqcache.dll 76998828 bytes
C:\WINDOWS\system32\usr32.dll 118784 bytes executable
C:\WINDOWS\system32\setsvr.exe 2224128 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 3
hidden files: 5


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 19 Jul 2000 398,416 ...HR --- "C:\BIBLEBB\VBRUN300.DLL"
Sat 19 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"
Thu 12 Jun 2008 23,040 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL0003.tmp"
Thu 12 Jun 2008 23,040 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL0005.tmp"
Thu 12 Jun 2008 24,064 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL1341.tmp"

Finished!




ComboFix 08-06-16.2 - Randy 2008-06-17 20:23:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.136 [GMT -5:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Randy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\escfhext.ini
C:\WINDOWS\system32\fqbspmtq.dll
C:\WINDOWS\system32\gniffcnv.ini
C:\WINDOWS\system32\gNXHNXbc.ini
C:\WINDOWS\system32\gNXHNXbc.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ridtrkco.dll
C:\WINDOWS\system32\vbfecgaf.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 19:30 . 2008-06-17 20:14 <DIR> d-------- C:\XPSP2
2008-06-17 19:30 . 2008-06-17 19:32 <DIR> d-------- C:\XPCDi386
2008-06-17 17:57 . 2008-06-17 17:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-17 17:56 . 2008-06-17 17:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 17:52 . 2008-06-17 18:36 <DIR> d-------- C:\SDFix
2008-06-16 20:55 . 2008-06-16 20:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 22:13 . 2008-06-15 22:13 <DIR> d-------- C:\Deckard
2008-06-14 00:06 . 2008-06-14 00:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-13 23:37 . 2008-06-13 23:37 <DIR> d-------- C:\Program Files\Sun
2008-06-12 10:55 . 2008-06-12 10:55 <DIR> d-------- C:\Program Files\Karen's Power Tools
2008-06-12 10:55 . 2008-06-12 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
2008-06-12 10:08 . 2008-06-12 10:08 <DIR> d-------- C:\ie-spyad_zo
2008-06-10 16:41 . 2008-06-10 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-10 12:20 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 22:53 . 2008-06-10 17:48 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-09 22:53 . 2008-06-11 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-09 08:20 . 2008-06-09 08:22 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-09 08:20 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-09 08:19 . 2008-06-09 08:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-08 22:55 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-08 22:55 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-08 22:55 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-08 22:55 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-08 22:54 . 2008-06-17 20:41 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-08 22:54 . 2008-06-08 22:54 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\PC Tools
2008-06-07 16:00 . 2008-06-10 16:01 48 --a------ C:\WINDOWS\BM7bf9ca38.xml
2008-05-20 17:26 . 2008-05-20 17:26 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 01:51 16,697,888 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-18 01:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-18 01:40 6,810,675 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-18 01:39 226,748 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 22:48 --------- d-----w C:\Program Files\Java
2008-06-16 22:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-15 19:15 --------- d-----w C:\Program Files\OpenedFilesView
2008-06-12 18:08 2,423 ----a-w C:\WINDOWS\dep32ceg.dll
2008-06-12 15:17 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-06-12 00:56 277,504 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-06-12 00:56 2,834,432 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-11 22:15 --------- d-----w C:\Program Files\Mozilla Sunbird
2008-06-10 13:25 80,384 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-06-09 16:56 46,592 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-06-09 14:30 570,880 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-06-07 20:00 2,756,608 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-06-07 20:00 12,800 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-06-07 19:58 2,756,608 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-06-07 19:58 13,312 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-06-07 19:56 1,740,288 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-06-07 14:57 2,811,904 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-06-07 14:57 2,721,280 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-06-07 02:55 2,707,968 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-07 02:55 1,603,584 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-06 21:34 443,904 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-31 16:00 222,208 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-25 20:15 658,432 ----a-w C:\WINDOWS\Internet Logs\xDB23.tmp
2008-05-19 21:50 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-11 19:48 --------- d-----w C:\Program Files\Stellarium
2008-05-11 19:48 --------- d-----w C:\Documents and Settings\Randy\Application Data\Stellarium
2008-05-11 19:21 --------- d-----w C:\Program Files\Calendar Magic
2008-05-11 18:59 53,248 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-11 13:03 --------- d-----w C:\Program Files\Sudoktor
2008-05-11 04:14 2,184,704 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-11 01:16 --------- d-----w C:\Program Files\LimeWire
2008-05-11 01:16 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2008-05-11 00:43 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-05-10 04:50 --------- d-----w C:\Program Files\EssentialPIM
2008-05-10 04:50 --------- d-----w C:\Documents and Settings\Randy\Application Data\EssentialPIM
2008-05-10 04:45 --------- d-----w C:\Program Files\Rainlendar2
2008-05-10 03:17 --------- d-----w C:\Documents and Settings\Randy\Application Data\Talkback
2008-05-09 18:32 --------- d-----w C:\Program Files\e-Sword
2008-05-09 14:34 --------- d-----w C:\Program Files\BeST 2.0 Standard
2008-05-09 14:17 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-09 14:17 --------- d-----w C:\Program Files\MSBuild
2008-05-09 14:11 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-09 11:49 --------- d-----w C:\Program Files\Pocket e-Sword
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 00:24 --------- d-----w C:\Program Files\Music Rescue
2008-05-07 00:15 --------- d-----w C:\Documents and Settings\Randy\Application Data\iPod Copy Expert
2008-05-03 23:43 --------- d-----w C:\Program Files\iPod Copy Expert
2008-05-03 22:11 --------- d-----w C:\Program Files\iTunes
2008-05-03 22:11 --------- d-----w C:\Documents and Settings\Randy\Application Data\Apple Computer
2008-05-03 22:10 --------- d-----w C:\Program Files\QuickTime
2008-05-03 22:10 --------- d-----w C:\Program Files\iPod
2008-05-03 22:10 --------- d-----w C:\Program Files\Bonjour
2008-05-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-03 22:07 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-03 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-27 14:06 --------- d-----w C:\Program Files\RegCure
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-11 05:06 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 06:17 81920]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"stezinit"="C:\WINDOWS\sprscore.exe" [2007-12-09 17:28 753664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 11:44 303104]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"gretinit"="C:\WINDOWS\sprscore.exe" [2007-12-09 17:28 753664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31 655360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcAssT]
khfcAssT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 16:53:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-18 01:49:47 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-12 23:16:19 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 20:51:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\atinx2k.sys 462080 bytes executable
C:\WINDOWS\system32\drivers\watvex.sys 20480 bytes executable
C:\WINDOWS\system32\dsqcache.dll 84650617 bytes
C:\WINDOWS\system32\usr32.dll 118784 bytes executable
C:\WINDOWS\system32\setsvr.exe 2224128 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="System32\DRIVERS\atapi.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atinx2k]
"ImagePath"="system32\drivers\atinx2k.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\watvex]
"ImagePath"="system32\drivers\watvex.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\winfsysrn.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\rundys32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-17 20:55:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 01:55:12

Pre-Run: 122,001,920,000 bytes free
Post-Run: 121,870,667,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

229 --- E O F --- 2008-06-15 03:01:52




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:23 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\sprscore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\rundys32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [stezinit] C:\WINDOWS\sprscore.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [gretinit] C:\WINDOWS\sprscore.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.pandasecurity.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DA2AAF4-4289-4D6E-B9C0-D8360229607B} (IPAQSelfHelp Class) - https://h50203.www5.hp.com/HPISWeb/C...PEIPAQTool.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200722177342
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200726449030
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: khfcAssT - khfcAssT.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8663 bytes